1. What is IT Due Diligence?
2. Why bother with ITDD?
3. Who undertakes the ITDD?
4. Understand the process of ITDD
8. Processes and controls
10. Strategy and Management
11. Need help?
Due diligence is the name given to an investigation to provide reassurance
that a transaction is fair and true, before completion.
The concept has been in place for many years and is important for IT systems
in particular, as they affect the smooth running and efficiency of the
It is commonly performed in the following circumstances:
● A company (Acquirer) is buying another company (Target), whole or in
● A company is raising money, either via loan or equity, and the lender
(e.g. bank or prospective shareholder) wants assurance that IT is
effective and is value for money.
● Owners/shareholders want to demonstrate that systems are fit before
selling part or all of the business, or receiving an investment. (Vendor
What is IT Due Diligence (ITDD)?
● Imagine buying a house without a survey - you would
ask a surveyor to assess the house to make sure it is
in good condition, to avoid expensive repair bills
and to strengthen your bargaining position.
● All businesses now rely on technology (even if it is
only a smartphone), so it is imperative to ensure
systems are adequate.
● For example, a failure in key business systems (e.g.
eCommerce, warehousing, communications,
manufacturing, logistics) could be expensive and
damage your reputation.
● Businesses experiencing a disaster scenario have a
high failure rate; the business could effectively be
Why bother with ITDD?
An ITDD may be performed internally or externally:
● An IT director or chief technology officer from
the Acquirer may investigate the Target's
● However, a preferred approach for both parties
would be to undertake an independent IT DD to:
o Ensure impartiality for both vendor and
o Offer transaction experience.
o Bring additional resource that may not be
Who undertakes the ITDD?
To complete the assessment, the independent ITDD assessor will need
information from the IT Team.
● Staffing - skills, expertise, key-person dependency issues.
● Technology - architecture and extensibility, scalability, robustness,
● Processes & procedures - policies, governance, documentation (systems
and strategic papers), suppliers and contracts.
● Strategy and management - a review of strategic plans and management
A formal report on findings and recommendations will provide a clear
snapshot of the current IT situation and its capability to support the business
Understand the process of ITDD
☐ Do IT staff have the right skills available to support the
☐ Check there are no key-person dependencies (especially in
critical system support and/or software development).
☐ Is there staff cover for service availability demanded by
☐ Is there reporting on analysis of staff turnover, appraisal
processes, development and training plans?
☐ Are procedures/processes documented including a staff
☐ Does everyone have a current job description and how do
salaries compare to the market rates?
People are often the biggest risk and cost; it’s important that the right
capabilities exist and are appropriately deployed.
☐ Is the hardware old and in need of imminent replacement?
☐ Is the current hardware (and firmware) appropriate, supported and
☐ Are systems robust, reliable and resilient - including infrastructure
such as data centres and internet provision?
☐ Do reports exist for security breaches (virus outbreak, network
hacks, data loss, physical impediment such as fire or flood)?
☐ Have the systems been tested for vulnerabilities?
☐ Is there an up-to-date record of all IT assets, including equipment
☐ Is there a backup regime; has a data restore been recently tested?
☐ Are plans in place for business continuity and disaster recovery?
Are the current hardware/infrastructure systems capable of supporting the
☐ Is the software very old and in need of imminent replacement?
☐ Is the software current and supported?
☐ Are there any proprietary/bespoke systems?
☐ Is any software developed in-house, and if so, is it developed
using a recognised software development framework (SDLC)?
☐ Is the source code carefully maintained?
☐ Understand the ownership of any IP (intellectual property).
☐ Does the helpdesk/service desk system fulfil its requirements
to provide (and report) IT support to the business?
☐ Is licensing adequately controlled and managed?
Understand the software utilised in the business, its effectiveness and
Processes and controls
☐ Key IT suppliers: Understand contracts & exit plans. Identify alternative suppliers and any
☐ Are key supplier performance metrics reviewed regularly? Benchmark costs to ensure value
for money and hold regular reviews (quarterly).
☐ Are Access Control measures in place, including password policy and “break-glass”
☐ Is there a policy for BYOD (bring your own device)?
☐ If WiFi is available, is there segregation between staff and guests?
☐ Has the business gained any assessment certification, such as ISO 27001?
☐ Are helpdesk and ITIL / COBIT adopted?
Understand procedures and authority to carry out the BAU (business as
☐ Is there a published SOP (standard operating procedures) guide?
☐ Are documents up-to-date and version controlled?
☐ Is there an IT standard product catalogue that’s published and
known across the business?
☐ Do documents exist relating to service level agreements (SLA)
with suppliers and internal business groups?
☐ Are bespoke software systems adequately documented?
☐ Is documentation available for IT strategy, project management
and change control?
Understand how documentation supports the IT operation.
Strategy and Management
☐ Is the IT strategy planning process in place?
☐ How is the strategy or roadmap documented?
☐ Is the IT budgeting reasonable and adequate?
☐ To what extent does technology feature at the Board
☐ Is the IT strategy aligned with the business strategy?
IT is critical to efficiency and staying ahead of the competition. IT DD
should address the following questions:
● Our checklist is a simplified snapshot/highlight
of typical questions, to provide food for
● In reality, every business will be different - for
example, online gaming will be different to
eCommerce - in terms of types of systems and
peak usage and security.
● We have over 30 experts, many from the Big 4
IT audit practices, who have undertaken
● We can tailor a cost-effective plan based on
your requirements in the UK or around the
Roelof is a seasoned IT professional, corporate
(BP, Ernst & Young, Rentokil Initial, BDO) IT
problem solver, experienced across a range of
industries encompassing both mid-size and
Reporting on IT investment and performance
issues for private equity and corporate finance
Paul is a seasoned IT professional, having
served as a Head of IT for a variety of
corporates. Prior to joining DrPete, Paul was
an IT Consultant advising clients of BDO
LLP. He also undertook a discrete project
assignment for Google.
Paul has worked in many diverse sectors, from
natural resources, to property management
and cryogenics, providing IT reviews, due
diligence and IT project management services.
About the authors
We use the latest cloud apps and technology paradigms.
DrPete Technology Experts:
We are members of the
European Cloud Industry
body - Eurocloud, where we
Our firm is regularly
featured as thought
leaders. We have been
featured in broadsheets
such as the Financial
Times, the Guardian, and
leading portals like the
We have regular columns in
CloudPro and Techradar.